From c29d15c70d0eda9d7ffe26a0ccc181f4f0a07ca5 Mon Sep 17 00:00:00 2001 From: Cristy Date: Thu, 14 Sep 2017 07:43:22 -0400 Subject: [PATCH] ... --- coders/yuv.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/coders/yuv.c b/coders/yuv.c index e74800aa5..a203ea768 100644 --- a/coders/yuv.c +++ b/coders/yuv.c @@ -124,10 +124,13 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) ssize_t count, horizontal_factor, - quantum, vertical_factor, y; + size_t + length, + quantum; + unsigned char *scanline; @@ -201,6 +204,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) (size_t) quantum*sizeof(*scanline)); if (scanline == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + status=MagickTrue; do { chroma_image=CloneImage(image,(image->columns+horizontal_factor-1)/ @@ -235,7 +239,17 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) if (interlace == NoInterlace) { if ((y > 0) || (GetPreviousImageInList(image) == (Image *) NULL)) - count=ReadBlob(image,(size_t) (2*quantum*image->columns),scanline); + { + length=2*quantum*image->columns; + count=ReadBlob(image,length,scanline); + if (count != (ssize_t) length) + { + status=MagickFalse; + ThrowFileException(exception,CorruptImageError, + "UnexpectedEndOfFile",image->filename); + break; + } + } p=scanline; q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); if (q == (Quantum *) NULL) @@ -290,7 +304,17 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) else { if ((y > 0) || (GetPreviousImageInList(image) == (Image *) NULL)) - count=ReadBlob(image,(size_t) quantum*image->columns,scanline); + { + length=quantum*image->columns; + count=ReadBlob(image,length,scanline); + if (count != (ssize_t) length) + { + status=MagickFalse; + ThrowFileException(exception,CorruptImageError, + "UnexpectedEndOfFile",image->filename); + break; + } + } p=scanline; q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); if (q == (Quantum *) NULL) @@ -337,7 +361,15 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) { for (y=0; y < (ssize_t) chroma_image->rows; y++) { - count=ReadBlob(image,(size_t) quantum*chroma_image->columns,scanline); + length=quantum*chroma_image->columns; + count=ReadBlob(image,length,scanline); + if (count != (ssize_t) length) + { + status=MagickFalse; + ThrowFileException(exception,CorruptImageError, + "UnexpectedEndOfFile",image->filename); + break; + } p=scanline; q=QueueAuthenticPixels(chroma_image,0,y,chroma_image->columns,1, exception); @@ -373,7 +405,15 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) } for (y=0; y < (ssize_t) chroma_image->rows; y++) { - count=ReadBlob(image,(size_t) quantum*chroma_image->columns,scanline); + length=quantum*chroma_image->columns; + count=ReadBlob(image,length,scanline); + if (count != (ssize_t) length) + { + status=MagickFalse; + ThrowFileException(exception,CorruptImageError, + "UnexpectedEndOfFile",image->filename); + break; + } p=scanline; q=GetAuthenticPixels(chroma_image,0,y,chroma_image->columns,1, exception); @@ -463,6 +503,8 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) } while (count != 0); scanline=(unsigned char *) RelinquishMagickMemory(scanline); (void) CloseBlob(image); + if (status == MagickFalse) + return(DestroyImageList(image)); return(GetFirstImageInList(image)); } -- 2.40.0